Re: something magic about SYS.LINK$ ?

>>Maxim Demenko wrote:
>>
>>>EdStevens schrieb:
>>>
>>>>Oracle 9.2.0.7.0 on Win2003
>>>>
>>>>Stumbled on to this, and don't have an explanation:
>>>>
>>>>Connected as SYSTEM, with the standard, out-of-the-box DBA role:
>>>>
>>>>system_at_NPSTDB.WORLD> select count(*) from sys.link$;
>>>>select count(*) from sys.link$
>>>> *
>>>>ERROR at line 1:
>>>>ORA-01031: insufficient privileges
>>>>
>>>>A little further hunting shows that there are only 2 of the sys.$
>>>>tables that this happens on ... SYS.LINK$ and SYS.USER_HISTORY$
>>>>
>>>>
>>>>???
>>>>
>>>
>>>Maybe issue of O7_dictionary_accessibility ? If set to FALSE, all tables
>>>owned by SYS must be granted explicitly ( select any table combined with
>>>select any dictionary are not sufficient ).
>>>
>>>Best regards
>>>
>>>Maxim
>>
>>Well, O7_dictionary_accessibility = false, but if that were the issue,
>>I shouldn't be able to get any of the sys.%$ tables, right?
>>
>>C:\>sqlplus system_at_npsp9
>>
>>SQL*Plus: Release 9.2.0.1.0 - Production on Fri Sep 2 13:01:52 2005
>>
>>Copyright (c) 1982, 2002, Oracle Corporation. All rights reserved.
>>
>>Enter password:
>>
>>Connected to:
>>Oracle9i Release 9.2.0.7.0 - Production
>>JServer Release 9.2.0.7.0 - Production
>>
>>SQL>
>>SQL> show parameter O7
>>
>>NAME                                 TYPE        VALUE
>>------------------------------------ ----------- ------------------------------
>>O7_DICTIONARY_ACCESSIBILITY          boolean     FALSE
>>
>>
>>SQL> select table_name
>>  2  from dba_tab_privs
>>  3  where owner='SYS'
>>  4  and grantee='SYSTEM'
>>  5  and table_name like '%$'
>>  6  /
>>
>>no rows selected
>>
>>SQL> select count(*) from sys.link$;
>>select count(*) from sys.link$
>> *
>>ERROR at line 1:
>>ORA-01031: insufficient privileges
>>
>>
>>SQL> select count(*) from sys.access$;
>>
>>  COUNT(*)
>>----------
>>     10258
>>
>>There's no difference in ownership or object privileges between
>>sys.link$ and sys.access$. I'm sure I'm overlooking something, but
>>what?

>
>
> The fact that SYS.LINK$ and SYS.USER_HISTORY$ both contain plaintext
> passwords for the accounts. With a SYSDBA privileged account these
> values are visible; any non-SYSDBA account should not have access to
> such information, which may be a result of the Sarbanes-Oxley Act. Of
> course it is questionable whether *anyone* should have access to
> plaintext account passwords, and I would have expected Oracle to
> maintain their policy of only storing hashed passwords in the data
> dictionary. Apparently they had a valid reason for having such views,
> but I cannot understand what that reason could be.
>
>
> David Fitzjarrell
>

I was always sure, *all* sys owned tables must be granted to be accessed
(or too often connected as sysdba to verify it ;-) if
O7_dictionary_accessibility is set to false, so never had an idea to
verify it... Short test shows, indeed, only the 2 tables you mentioned
are concerned.
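
An access review for the two tables this thread singles out, added here as an example and not taken from any poster's message. It assumes a SYSDBA-privileged session and uses only standard dictionary views (`v$parameter`, `dba_tab_privs`, `dba_dependencies`, `v$pwfile_users`).

```sql
-- Added example, not from the thread. Run from a SYSDBA-privileged session.

-- 1. Confirm the parameter setting the thread is discussing.
SELECT name, value
FROM   v$parameter
WHERE  UPPER(name) = 'O7_DICTIONARY_ACCESSIBILITY';

-- 2. Explicit object grants on the two tables. EdStevens' query filtered on
--    grantee = 'SYSTEM' only; this lists every grantee, roles included.
SELECT table_name, grantee, privilege, grantable
FROM   dba_tab_privs
WHERE  owner = 'SYS'
AND    table_name IN ('LINK$', 'USER_HISTORY$')
ORDER  BY table_name, grantee;

-- 3. Objects built on top of the two tables (views, packages, ...) and who
--    has been granted access to them. A grant on a dependent view exposes
--    the same rows without any privilege on the base table itself.
SELECT d.owner,
       d.name,
       d.type,
       d.referenced_name AS base_table,
       p.grantee,
       p.privilege
FROM   dba_dependencies d
LEFT   JOIN dba_tab_privs p
       ON  p.owner      = d.owner
       AND p.table_name = d.name
WHERE  d.referenced_owner = 'SYS'
AND    d.referenced_name IN ('LINK$', 'USER_HISTORY$')
ORDER  BY d.referenced_name, d.owner, d.name, p.grantee;

-- 4. Accounts that can connect AS SYSDBA, which per the thread is the level
--    at which the contents of these tables are visible.
SELECT username, sysdba, sysoper
FROM   v$pwfile_users
ORDER  BY username;
```

Rows from queries 2 and 3 with a grantee other than an expected administrative account or role are the ones to follow up on.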